ID

VAR-201505-0219


CVE

CVE-2015-1880


TITLE

Cross-site scripting vulnerability in the sslvpn login page of Fortinet FortiOS

Trust: 0.8

sources: JVNDB: JVNDB-2015-002671

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the sslvpn login page in Fortinet FortiOS 5.2.x before 5.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Fortinet FortiOS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS is a security operating system developed by Fortinet Corporation for the FortiGate network security platform. It provides security functions such as firewall, anti-virus, IPSec/SSL VPN, web content filtering and anti-spam.

Trust: 2.07

sources: NVD: CVE-2015-1880 // JVNDB: JVNDB-2015-002671 // BID: 74652 // VULHUB: VHN-79841 // VULMON: CVE-2015-1880

AFFECTED PRODUCTS

vendor: fortinet, model: fortios, scope: eq, version: 5.2.2

Trust: 1.6

vendor: fortinet, model: fortios, scope: eq, version: 5.2.1

Trust: 1.6

vendor: fortinet, model: fortios, scope: eq, version: 5.2.0

Trust: 1.6

vendor: fortinet, model: fortios, scope: eq, version: 5.2.3

Trust: 0.8

vendor: fortinet, model: fortios, scope: lt, version: 5.2.x

Trust: 0.8

sources: JVNDB: JVNDB-2015-002671 // CNNVD: CNNVD-201505-097 // NVD: CVE-2015-1880

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-1880
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-1880
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201505-097
value: MEDIUM

Trust: 0.6

VULHUB: VHN-79841
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-1880
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-1880
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-79841
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-79841 // VULMON: CVE-2015-1880 // JVNDB: JVNDB-2015-002671 // CNNVD: CNNVD-201505-097 // NVD: CVE-2015-1880

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-79841 // JVNDB: JVNDB-2015-002671 // NVD: CVE-2015-1880

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-097

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201505-097

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002671

PATCH

title: Multiple products cross-site scripting vulnerabilities, url: http://www.fortiguard.com/advisory/FG-IR-15-005/

Trust: 0.8

title: kenzer-templates, url: https://github.com/Elsfa7-110/kenzer-templates

Trust: 0.1

title: kenzer-templates, url: https://github.com/ARPSyndicate/kenzer-templates

Trust: 0.1

sources: VULMON: CVE-2015-1880 // JVNDB: JVNDB-2015-002671

EXTERNAL IDS

db: NVD, id: CVE-2015-1880

Trust: 2.9

db: BID, id: 74652

Trust: 1.5

db: SECTRACK, id: 1032262

Trust: 1.2

db: SECTRACK, id: 1032261

Trust: 1.2

db: SECTRACK, id: 1032264

Trust: 1.2

db: SECTRACK, id: 1032265

Trust: 1.2

db: JVNDB, id: JVNDB-2015-002671

Trust: 0.8

db: CNNVD, id: CNNVD-201505-097

Trust: 0.7

db: VULHUB, id: VHN-79841

Trust: 0.1

db: VULMON, id: CVE-2015-1880

Trust: 0.1

sources: VULHUB: VHN-79841 // VULMON: CVE-2015-1880 // BID: 74652 // JVNDB: JVNDB-2015-002671 // CNNVD: CNNVD-201505-097 // NVD: CVE-2015-1880

REFERENCES

url:http://www.fortiguard.com/advisory/fg-ir-15-005/

Trust: 1.8

url:http://www.securityfocus.com/bid/74652

Trust: 1.3

url:http://www.securitytracker.com/id/1032261

Trust: 1.2

url:http://www.securitytracker.com/id/1032262

Trust: 1.2

url:http://www.securitytracker.com/id/1032264

Trust: 1.2

url:http://www.securitytracker.com/id/1032265

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1880

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1880

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/elsfa7-110/kenzer-templates

Trust: 0.1

sources: VULHUB: VHN-79841 // VULMON: CVE-2015-1880 // JVNDB: JVNDB-2015-002671 // CNNVD: CNNVD-201505-097 // NVD: CVE-2015-1880

CREDITS

Jared Haight, William Costa, and Benjamin Kunz Mejri (Vulnerability Laboratory, Evolution Security GmbH)

Trust: 0.3

sources: BID: 74652

SOURCES

db: VULHUB, id: VHN-79841
db: VULMON, id: CVE-2015-1880
db: BID, id: 74652
db: JVNDB, id: JVNDB-2015-002671
db: CNNVD, id: CNNVD-201505-097
db: NVD, id: CVE-2015-1880

LAST UPDATE DATE

2024-08-14T13:47:42.619000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-79841, date: 2017-01-03T00:00:00
db: VULMON, id: CVE-2015-1880, date: 2017-01-03T00:00:00
db: BID, id: 74652, date: 2015-05-14T00:00:00
db: JVNDB, id: JVNDB-2015-002671, date: 2015-05-18T00:00:00
db: CNNVD, id: CNNVD-201505-097, date: 2015-05-13T00:00:00
db: NVD, id: CVE-2015-1880, date: 2017-01-03T18:39:40.913

SOURCES RELEASE DATE

db: VULHUB, id: VHN-79841, date: 2015-05-12T00:00:00
db: VULMON, id: CVE-2015-1880, date: 2015-05-12T00:00:00
db: BID, id: 74652, date: 2015-05-14T00:00:00
db: JVNDB, id: JVNDB-2015-002671, date: 2015-05-18T00:00:00
db: CNNVD, id: CNNVD-201505-097, date: 2015-05-13T00:00:00
db: NVD, id: CVE-2015-1880, date: 2015-05-12T19:59:08.053